Remove kzfree() after kclient list iteration to avoid invalid
pointer dereference.
Change-Id: I78922269e219fcb16d3cff05f8b168a75a3c05ae
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
To avoid access of variable after being freed, use
list_first_entry_safe function to iterate over list
of given type, safe against removal of list entry.
Change-Id: I70611fddf3e9b80b1affa3e5235be24eac0d0a58
Signed-off-by: Monika Singh <monising@codeaurora.org>
When processing blocked listener request, ptr_app's app_blocked
flag should be set to prevent it being unloaded at this time;
Besides, need to check unblock request's scm_call response result
to see if it is blocked again; and removed redundant codes.
Change-Id: I2d72a88e9e600d6b7e944ae978b9d89a7b6db242
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Make change to block system signals when qseecom is waiting for
a blocked listener to become available. This will prevent qseecom
being woken up by power collapse and returning to kernel, which
may cause XPU violation as TA req/resp buffer is still XPU protected
at this time.
Change-Id: Ie5ea16f11ad653937236de042afb1bb5710123e6
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
When new cmd with session_id is not supported by TZ, resend
continue blocked listener request with legacy cmd using app_id.
Also set dummy app_id in qseecom_process_listener_from_smcinvoke
to support legacy cmd.
Change-Id: Icafc77cece23daff0f2ceb89c10e82a822eb582a
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Add support to process listener request from smcinvoke when
reentrancy is disabled.
Change-Id: I2ce030cf6d5104ca2dec1402634a05d425e6d474
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
When listener svc id does not exist, the listener svc entry pointer
is actually invalid, and should be set to NULL to avoid invalid pointer
dereference on cache operation when sending listener resp to TZ.
Change-Id: I6af0c7405c9dc5dfe481396979023968a8324dd0
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
When the thread processing blocked TA wakes up when listener
becomes available, the listener may be unavailable again before
this thread grabs the global mutex, so make change to add a
while loop to check if listener available after wake up and hold
mutex.
Change-Id: Ib386faca7a44325142da1dc54e19a99f3173ec86
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
cmnlib_ion_handle is only used within qseecom_load_commonlib_image()
and is not a shared resource, so change it to a local variable and
avoid potential reuse or free by another thread in case of reentrancy.
Change-Id: I9e1f25cd024a19a7379b7409bdc6521bcd8bcae5
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Reset app_crash flag to make sure app entry is not freed when
there is another client still being blocked on the same app.
Change-Id: I25d236abc97e60fe8a4abbbc8c086291c764a9c1
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Make change to check return value of __qseecom_process_reentrancy,
and modify error processing.
Change-Id: I6a37de79f6c6b4245b9654ea9724b51e62b8e7a2
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
During qseecom driver probing, the ION driver is invoked.
This commit supports the case where the ION driver still hasn't
probed. In that case, the qseecom probing will be deferred, and
retried at a later stage.
Change-Id: Ic780e8fa1d48a9f5b8b98773c034b280475f5fd0
Signed-off-by: Amit Blay <ablay@codeaurora.org>
Update the function return value and input scm_ret variable
type for restore secure configuration in scm_restore_sec_cfg() fn.
Adding scm_ret input variable for scm_get_feat_version() fn.
Change-Id: Ideef914ded8dfdb4c780fd27d7273986eeb41f5c
Signed-off-by: Mohammed Khajapasha <mkhaja@codeaurora.org>
With the introduction of MinkIPC for TA-to-TA communication,
if a request for blocking a TA (on a busy listener) is received
by qseecom, it may not be originated from the last TA to which
a command (or unblock response) was sent to. So, make change
to use a session_id instead of app_id to uniquely identify this
blocked request and a new cmd ID to support this smcinvoke-aware
listener operation.
Change-Id: I362e9acfa52c055b5759c210bb881da40f4e0776
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
The appname received by qseecom_start_app() can be non-null terminated
string beyond the max size check. Change strlen to strnlen.
CRs-fixed: 2062061
Change-Id: I845d244336b5c81cedb2153d1303585f16819d58
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Use put_user API to write the data from kernel space to
userspace to avoid accessing userspace memory directly
in kernel space.
Change-Id: I649fe2597e80ccad50cf16b355e220734810e94c
Signed-off-by: Brahmaji K <bkomma@codeaurora.org>
When listener unregister thread wakes up due to some system signals,
but not because ioctl_cnt <=1, it should return directly, instead of
continuing to remove listener list entry, which will lead kernel panic
when another listener receive thread accesses this freed entry.
Change-Id: I6ff97c56867d008232d7c50b22b372b0856c8dff
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
When a GP application is loaded and the crypto engine is accessed,
a NOC error will happen if CE clock is not enabled. Thus, add bus
scaling support for GP operations.
Change-Id: I59d63be9e08b2c135edc6ec224ec1a355434e1ec
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Initialize the hlos_ce_hw_instance[] array otherwise
this can lead to assigning qseecom.ce_drv.instance
with garbage value in failure cases.
Change-Id: I5b8fb574468a6a09fcd0f7f1dc7caf11f31374a7
Signed-off-by: Brahmaji K <bkomma@codeaurora.org>
Variable "load_img_req.img_len" and "load_img_req.mdt_len" are
from user land, so check their values against ion buf length
to avoid buffer overread on QSEE side.
Change-Id: I9e8bfe32d3b0cd5b441ad724543c56467fa5e4da
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
When __qseecom_check_app_exsits() and __qseecom_load_fw() get app_id
from TZ, they save it to function's return value then return back.
But "app_id" is of type uint32, "ret" is int32, this will return
incorrect app_id to the caller if app_id is larger than 0x7FFFFFFF.
Thus make change to return app_id correctly.
Change-Id: I2ef98d64490c480d5416ee24ec6ca9aca9c8ca8a
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
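The return-type problem described in the commit message above, as an added example (not the driver's code). The function names and the sample id are hypothetical; the "before" variant carries the id in a signed return value, the "after" variant returns only a status and writes the id through a pointer.

```c
#include <errno.h>
#include <stdint.h>

/* Constructed sample: an app_id above 0x7FFFFFFF, not a real TZ value. */
#define SAMPLE_TZ_APP_ID 0x80000001u

/* Before: the id is squeezed into the int return value. On the usual
 * two's-complement targets an id above 0x7FFFFFFF comes back negative,
 * so it is indistinguishable from a -errno code. */
static int lookup_app_legacy(uint32_t tz_app_id)
{
    int ret = (int)tz_app_id;   /* implementation-defined narrowing */

    return ret;
}

/* After: the return value is status only; the id keeps its full
 * unsigned range because it travels through an out-parameter. */
static int lookup_app_fixed(uint32_t tz_app_id, uint32_t *app_id)
{
    if (!app_id)
        return -EINVAL;
    *app_id = tz_app_id;
    return 0;
}

/* Caller convention "negative means failure": 1 = accepted, 0 = rejected. */
static int caller_accepts_legacy(uint32_t tz_app_id)
{
    return lookup_app_legacy(tz_app_id) >= 0;
}

static int caller_accepts_fixed(uint32_t tz_app_id, uint32_t *app_id)
{
    return lookup_app_fixed(tz_app_id, app_id) == 0;
}
```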
Add mutex around qseecom_set_client_mem_param to prevent an
ioctl thread modifying and corrupting data which is being
processed by another ioctl in the other thread.
Change-Id: I0cfb8afab4001c2913be693dfe44c761b9568893
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Add new SCM ID to register listener when smcinvoke is supported. Then
TZ, depending on how the listener has been registered, will either
behave in the old way (i.e. rsp[1]=QSEE_LISTENER_ID), or the new way
(rsp[1]=app_id) when smcinvoke is supported. And qseecom will first
try to register listener with new SCM ID, if failed, then fall back to
use old ID.
Change-Id: Ia27055db6ec8f26705669ee913919b29461121ca
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
scm call of send data will fail with EBUSY if there are more than one
TAs requesting listener services, add additional checks before scm call
and wait until no more than one listener request in the system.
Change-Id: Ic891e687062dc52f02639605f3bac0e1c4540a6f
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Release app list entry when __qseecom_get_fw_size() returns error.
Change-Id: I82406c39a2def87395811f442f39b57201766091
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Make change to improve input validation on request and response
buffers' address and length for qseecom_send_service_cmd.
Change-Id: I047e3264333d767541e43b7dadd1727232fd48ef
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
__qseecom_update_cmd_buf_64() called __qseecom_allocate_sg_list_buffer()
to allocate memory from within a for loop. Should it fail on any other
than the first time through the loop, the prior allocations will not be
deallocated, make change to deallocate memory in this error case.
Change-Id: I8cb71a3b141249d8266aec4890632f200d147405
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
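The allocate-in-a-loop error path described in the commit message above, as an added example (not the driver's code). The allocator, the entry count and the fault-injection counters are constructed stand-ins; `unwind` switches between leaving earlier buffers allocated and freeing them before the error is returned.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>

#define MAX_ENTRIES 4   /* assumed number of sg-list entries */
/* Constructed fault injection: the allocation with this call index fails. */
static int fail_on_call = -1, alloc_calls, live_allocs;

/* Hypothetical stand-in for the per-entry sg-list buffer allocator. */
static void *sg_buf_alloc(size_t n)
{
    void *p = (alloc_calls++ == fail_on_call) ? NULL : calloc(1, n);

    if (p)
        live_allocs++;  /* count buffers not yet freed */
    return p;
}

static void sg_buf_free(void *p)
{
    free(p);
    live_allocs--;
}

/* One allocation per pass; with unwind set, a failure frees earlier passes. */
static int update_cmd_buf(void *bufs[MAX_ENTRIES], int unwind)
{
    for (int i = 0; i < MAX_ENTRIES; i++) {
        bufs[i] = sg_buf_alloc(64);
        if (bufs[i])
            continue;
        while (unwind && --i >= 0) {
            sg_buf_free(bufs[i]);
            bufs[i] = NULL;
        }
        return -ENOMEM;
    }
    return 0;
}

/* Fail at pass fail_at; report buffers still outstanding on the error return. */
static int leaked_after_failure(int fail_at, int unwind)
{
    void *bufs[MAX_ENTRIES] = { NULL };
    int rc;

    alloc_calls = live_allocs = 0;
    fail_on_call = fail_at;
    rc = update_cmd_buf(bufs, unwind);
    return rc == -ENOMEM ? live_allocs : -1;
}
```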
Rename clock handles as per de-initialization sequence,
which is required to avoid the dangling pointers.
Change-Id: I9e0715e2a47f318acc414605ce8e624c432d6665
Signed-off-by: AnilKumar Chimata <anilc@codeaurora.org>
Add a new kernel API to support listener service for smcinvoke.
Change-Id: Ifeed957b99d2becd986629f60e145d6fdb717244
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
This change fixes issues regarding the ioctl
QSEECOM_IOCTL_MDTP_CIPHER_DIP_REQ uncovered by fuzzy tests.
Modified handler of above ioctl, not to allow input/output
buffer sizes greater than a fixed defined size.
Change-Id: I69f94a29d939341564f6f3ebfda48fceaa934542
Signed-off-by: Brahmaji K <bkomma@codeaurora.org>
ICE crypto engine key size can now be configured using dtsi flag.
This is required to facilitate usage of common TZ image with variable
key sizes and also provides flexibility in handling different key sizes
requirement in future. This flag is parsed in driver and depending upon
the value HLOS decides on key size to be passed to TZ.
Change-Id: If40f83a943e5ae8333d171c21823a16816d7ddd4
Signed-off-by: Neeraj Soni <neersoni@codeaurora.org>
Signed-off-by: Andrey Markovytch <andreym@codeaurora.org>
Perform a complete or adequate check of return codes for several
functions, including __qseecom_enable_clk, ion_do_cache_op and
ion_sg_table(), used by qseecom.
Change-Id: Ib1682bdc6d3034a22586af62a3d8986c54d369d5
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Make change in qseecom_probe() to improve the error return value
checks on some subfunctions, and free memory allocated within
qseecom_retrieve_ce_data.
CRs-fixed: 1075082
Change-Id: I971e555ec8d02ccf4382e83132a696b065a8ff12
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
In an error handling case, the QSEECOM_IOCTL_LOAD_APP_REQ ioctl
freed the entry for new TA, but didn't remove it from
qseecom_registered_app_list. Make change to remove it.
Change-Id: Id681fbf3c923027d3db875d506cbe3f971919a8d
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
-- Add whitelist support for listener to send modified resp to TZ;
-- support whitelist for kernel client;
-- Change the method to check whitelist feature.
Change-Id: I0030b0008d6224cda3fdc1f80308a7e9bcfe4405
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
ion_map_kernel() is called without checking for or acting upon the
possible error conditions this function may return, make change to
check its error return value.
CRs-fixed: 1081637
Change-Id: I0a34f0bbc9f2049b826777a31e14d2cf62cdc211
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
Make change in __qseecom_load_fw() and qseecom_load_commonlib_image()
to check buffer size before copying img to buffer.
CRs-fixed: 1080290
Change-Id: I0f48666ac948a9571e249598ae7cc19df9036b1d
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
The whitelist status is set default as true though TZ failed to check,
which in turn causes the send_command to fail by passing whitelist command id.
So updating the support status flag to false when TZ fails to check.
Change-Id: I78a7600506b4d2457bb1c38f8a39888a9cf9467c
Signed-off-by: Mallikarjuna Reddy Amireddy <mamire@codeaurora.org>
Signed-off-by: Zhen Kong <zkong@codeaurora.org>
To support whitelist feature, sglistinfo table should also
be allocated from qseecom kernel APIs used by kernel client.
Besides, initialize sg in __qseecom_update_cmd_buf_64 to
address a static analysis warning.
Change-Id: I1f1967fd9e95444cca728f09e3e8f4914b2abb95
Signed-off-by: Zhen Kong <zkong@codeaurora.org>